
Antivirus 2010 prevents mbam.exe from running even after file name change



I have been infected with Antivirus 2010. I followed the removal instructions and launched mbam.exe. It launches, runs about 10 seconds and then goes away. I have tried renaming the file, running in safe mode, and reinstalling mbam to no avail. Every post I have found shows mbam.exe will solve my problem if I can get it to run. Please help as access to my computer is urgent.


I ran rkill and it doesn't list any "Services Stopped" or "Processes Terminated" and says: Rkill completed.

I ran exehelper and the log is here:

exeHelper by Raktor
Build 20100414
Run at 12:11:10 on 09/27/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 12:19:16 on 09/27/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Then I ran MBAM and made sure it updated and it once again shut down after 8 seconds.

This is frustrating to no end since I know I just need to get mbam to run. What do I do now?


See if you can download and run ComboFix, rename it to something like dbfgtr.exe or dbfgtr.com.

-------------------------

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
    (images: CF_download_FF.gif, CF_download_rename.gif)
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

MrC


I'm looking over the ComboFix log and you still have a lot of malware on the system.

You can run SUPERAntiSpyware Portable Scanner, there's info on it in the link below:

http://maddoktor2.com/forums/index.php/topic,37030.0.html

Please update it before you run it!!!

Just note the warning about it:

Please note: Windows must load for this scanner to work and also the scanner is saved under a random filename so that malware infections won't block the scanner.

Once you close the program, the logs and quarantined items are lost, so please look over what was quarantined (especially files located in system32) before closing SAS.

Let me know, MrC


You lost your job, what do you think I'm doing here :)

--------------------------

First...please do this:

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

del /a/f/q "C:\WINDOWS\Tasks\At*.job"

Save this as delete.bat and choose to Save as type: - All Files then close the Notepad file.

It should look like this: bat.JPG

Double-click on delete.bat and allow it to run. Please delete the file afterwards.

----------------------------

All these programs are infected, hopefully ComboFix can clean them.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::
c:\documents and settings\All Users\Application Data\v7FaM5nW.exe

RenV::
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\logishrd\LComMgr\Communications_Helper .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET .exe
c:\program files\Creative\Shared Files\Module Loader\DLLML .exe
c:\program files\CyberLink\PCM4Everio\EverioService .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre1.5.0_09\bin\jusched .exe
c:\program files\Logitech\QuickCam\Quickcam .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\Roxio\CinePlayer\DMXLauncher .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Yahoo!\Messenger\YahooMessenger .exe
c:\program files\Yahoo!\Search Protection\SearchProtection .exe
c:\windows\UpdReg .exe
c:\windows\ehome\ehtray .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

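An added triage helper, not from this thread or from any of the tools named in it, that looks for the rename pattern the RenV:: entries above show: legitimate programs renamed with a space before ".exe" while something else may be sitting under the original name. It walks a directory tree or, as here, a constructed list of paths; SAMPLE, find_spaced_renames and scan_tree are names chosen for this example.

```python
import os
import re

# A space immediately before the extension, as in "iTunesHelper .exe".
SPACED_EXT = re.compile(r"^(?P<stem>.*\S) +(?P<ext>\.(?:exe|com|scr))$", re.IGNORECASE)


def _split(path):
    """Split on either separator so Windows-style paths work on any host."""
    head, _, name = path.replace("\\", "/").rpartition("/")
    return head, name


def find_spaced_renames(paths):
    """Group paths by directory and report every '<name> .exe' file.

    Returns sorted (renamed_path, expected_original_name, original_present)
    tuples; original_present says whether a file with the un-spaced name sits
    next to it, the usual sign that something has taken over the original name.
    """
    by_dir = {}
    for p in paths:
        head, name = _split(p)
        by_dir.setdefault(head.lower(), {})[name.lower()] = p  # case-insensitive
    hits = []
    for names in by_dir.values():
        for name_l, p in names.items():
            m = SPACED_EXT.match(name_l)
            if m:
                original = m.group("stem") + m.group("ext")
                hits.append((p, original, original in names))
    return sorted(hits)


def scan_tree(root):
    """Run find_spaced_renames over every file under root."""
    return find_spaced_renames(
        os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample modelled on the RenV:: list above (not a real listing).
SAMPLE = [
    r"c:\program files\iTunes\iTunesHelper .exe",
    r"c:\program files\iTunes\iTunesHelper.exe",
    r"c:\program files\Skype\Phone\Skype .exe",
    r"c:\windows\UpdReg .exe",
    r"c:\windows\notepad.exe",
]

if __name__ == "__main__":
    for renamed, original, present in find_spaced_renames(SAMPLE):
        flag = "original name ALSO present" if present else "original name missing"
        print(f"{renamed}  ->  expected {original}  ({flag})")
```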

Sorry to hear about your employment status. I feel your pain. I have found the best job search sites outside of monster & careerbuilder are indeed.com, simplyhired.com, dice.com, and on postings that are listed through linkedin.com. Hope one of them can help you.

The system crashed when I ran the program you described. I cannot get it to reboot.


Unfortunately these things happen when trying to remove malware from a badly infected computer.

ComboFix makes a backup of the registry before it runs, let's see if we can restore it:

1. Restart your computer

2. Before Windows loads, you will be prompted to choose which Operating System to start

3. Use the up and down arrow key to select Microsoft Windows Recovery Console

4. You must enter which Windows installation to log onto. Type 1 and press enter.

5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

If that doesn't work..try cd erdnt\hiv-backup

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.

8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

Let me know, MrC


I just noticed something in your ComboFix log.

ComboFix was running from K:\

It should have been run from your desktop.

ComboFix 10-09-26.04 - HP_Administrator 09/27/2010 13:03:47.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1493 [GMT -4:00]

Running from: K:\Combo-Fix.exe

AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
